Planning for collaborative servers and portlets

Portal, Express Beta Version 6.1
Operating systems: i5/OS, Linux,Windows

Planning for collaborative servers and portlets

Set up a site with IBM^® Lotus^® Domino^® Integration requires decisions about user directories, security, authentication, and performance for your suite of Domino and Extended Products servers and software. The use cases described in this topic are intended to help you make decisions leading to a successful Lotus Domino integration.

Determining the needs of your portal site

The following general use cases are intended only to provide some recommendations for your decisions about directories when integrating the Domino and Extended Products Portlets.

To identify your use case, ask yourself two questions about your site:

What directory are you already using, or do you want to use, for the user directory for WebSphere Portal Express?
Possible answers are: A: LDAP directory other than Lotus Domino, B: Lotus Domino LDAP directory.

What directory are you already using, or do you want to use, for the user directories for IBM Lotus Sametime^®?
Possible answers are: A: LDAP directory other than Lotus Domino, B: Lotus Domino LDAP directory, C: native (non-LDAP) Lotus Domino directory.

Use case	Your decisions about Lotus Domino integration
Single directory (LDAP other than Lotus Domino) site (1A+2A). You have WebSphere Portal Express installed and in active use. Your portal site is configured with an LDAP directory other than Lotus Domino (for the purposes of these scenarios, assume IBM Tivoli^® Directory Server, but any other LDAP has the same considerations) with a substantial user repository in active use. You intend to integrate collaborative portlets You want the Lotus Domino portlets to have online awareness features. You want users to be able to work in portlets without authentication other than logging into the portal (that is, you need the single sign-on feature). In fact, you may already have single sign-on enabled on your portal server. You do not yet have any Domino and Extended Products or servers installed, or if you have them, they are not yet configured for use with the portal.Note: If you have an existing Lotus Domino server you intend to integrate, make sure that its release is supported before you attempt to use it with the portal. See the Software for collaboration section in the WebSphere Portal Express hardware and sofware requirements. If the release is not supported, upgrade the Lotus Domino server before you can use it with the portal.	Your environment is typical of most portal customers. Follow the instructions for installation and integration in the rest of the Domino Integration and Messaging section of the Information center. You must install and set up a Lotus Sametime server to support awareness, as well as a Lotus QuickPlace server for team collaboration. We recommend that you configure them to authenticate against the LDAP directory already configured with your portal site. To enable single sign-on, configure it as a last task after installing and configuring new servers for Domino and Extended Products, to include all the new servers. Support for key features in the collaborative portlets such as auto-detection of users' mail files requires additional configuration in this environment.
Single directory (Lotus Domino LDAP) site (1B+2B) You have installed WebSphere Portal Express You have no LDAP user directory configured yet. You intend to integrate collaborative portlets You want the portlets to have online awareness features, and you want users to be able to work in portlets without authentication other than logging into the portal (that is, you need the single sign-on feature)	Your environment is recommended, especially for new portal sites, if you intend to make full use of Lotus Domino integration. Install and configure Lotus Domino as your LDAP directory for the portal, and then follow the instructions for installation and integration in the rest of the Domino Integration and Messaging section of the Information center. Fastpath: If you have WebSphere Portal 6.0.1 or later, this is the environment most suited to configuration with the Domino-WebSphere Portal Express Integration Wizard. It is a best practice to use the directory configured for Lotus Sametime and Lotus QuickPlace as the directory configured for the portal, and Lotus Domino LDAP is the best choice for Lotus Sametime and Lotus QuickPlace; therefore, in a new site we recommend using Lotus Domino LDAP as the single directory.
Dual directory-type site (LDAP other than Lotus Domino for portal with Lotus Domino LDAP for Lotus Sametime and Lotus QuickPlace user directories) (1A + 2B). You already have a mature installation of Lotus Domino servers including any of the following products: Lotus QuickPlace, Lotus Sametime, Domino Web Access (iNotes), Domino Document Manager. Your Lotus Domino servers are upgraded to a release supported by WebSphere Portal Express. You have newly installed WebSphere Portal Express or have the intention to deploy it. You may even have a mature portal site, but have not yet attempted to integrate it with your Lotus Domino installations. You intend to integrate collaborative portlets, especially messaging portlets to support your existing Lotus Domino mail and calendar users. You want the portlets to have online awareness features (your Lotus Domino users are accustomed to Lotus Sametime instant messaging), and you want users to be able to work in portlets without authentication other than logging into the portal (that is, you need the single sign-on feature).	Your environment is typical of many portal customers who have investments in both directories that must be maintained. Follow the instructions for installation and integration in the rest of the Domino Integration and Messaging section of the Information center. See the following topics for tasks specific to reconciling directories: Auto-detecting user mail information from a secondary LDAP server Resolving the portal user's log-in name with the user name on the Lotus Sametime server Configuring people awareness to work across Domino Directory and a non-Domino portal LDAP directory Reconciling single sign-on across Lotus Domino and another LDAP directory
Multiple directory-type site (LDAP other than Lotus Domino for portal with a combination of other directories, most likely native Lotus Domino directory for Lotus Sametime and Lotus Domino LDAP for Lotus QuickPlace) (1A + 2B + 2C) You already have a mature installation of Lotus Domino servers including any of the following products: Lotus QuickPlace, Lotus Sametime, Domino Web Access (iNotes), Domino Document Manager. Your Lotus Domino servers are upgraded to a release supported by WebSphere Portal Express. You have newly installed WebSphere Portal Express or have the intention to deploy it. You may even have a mature portal site, but have not yet attempted to integrate it with your Lotus Domino installations. You have a native Lotus Domino Directory (non-LDAP) in active use. One or more of the following products uses a native Lotus Domino Directory: Lotus QuickPlace, Lotus Sametime, Domino Document Manager. You intend to integrate collaborative portlets, especially messaging portlets, to support your existing Lotus Domino mail and calendar users. You want the portlets to have online awareness features (your users are accustomed to Lotus Sametime instant messaging), and you want users to be able to work in portlets without authentication other than logging into the portal (that is, you need the single sign-on feature).	Your environment is typical of many customers with mature Lotus Domino installations and an investment in an extensive native Lotus Domino directory who want to integrate portal. Follow the instructions for installation and integration in the rest of the Domino Integration and Messaging section of the Information center. To support SSO, reconcile authentication between user identifications in your native Lotus Domino directory and the portal LDAP directory. See the following topics for tasks specific to reconciling directories: Auto-detecting user mail information from a secondary LDAP server Resolving the portal user's log-in name with the user name on the Lotus Sametime server Configuring people awareness to work across Domino Directory and a non-Domino portal LDAP directory Reconciling single sign-on across Lotus Domino and another LDAP directory

Use case

Your decisions about Lotus Domino integration

Single directory (LDAP other than Lotus Domino) site (1A+2A).

You have WebSphere Portal Express installed and in active use.

Your portal site is configured with an LDAP directory other than Lotus Domino (for the purposes of these scenarios, assume IBM Tivoli^® Directory Server, but any other LDAP has the same considerations) with a substantial user repository in active use.

You intend to integrate collaborative portlets

You want the Lotus Domino portlets to have online awareness features.

You want users to be able to work in portlets without authentication other than logging into the portal (that is, you need the single sign-on feature). In fact, you may already have single sign-on enabled on your portal server.

You do not yet have any Domino and Extended Products or servers installed, or if you have them, they are not yet configured for use with the portal.Note: If you have an existing Lotus Domino server you intend to integrate, make sure that its release is supported before you attempt to use it with the portal. See the Software for collaboration section in the WebSphere Portal Express hardware and sofware requirements. If the release is not supported, upgrade the Lotus Domino server before you can use it with the portal.

Your environment is typical of most portal customers. Follow the instructions for installation and integration in the rest of the Domino Integration and Messaging section of the Information center.

You must install and set up a Lotus Sametime server to support awareness, as well as a Lotus QuickPlace server for team collaboration. We recommend that you configure them to authenticate against the LDAP directory already configured with your portal site.

To enable single sign-on, configure it as a last task after installing and configuring new servers for Domino and Extended Products, to include all the new servers.

Support for key features in the collaborative portlets such as auto-detection of users' mail files requires additional configuration in this environment.

Single directory (Lotus Domino LDAP) site (1B+2B)

You have installed WebSphere Portal Express

You have no LDAP user directory configured yet.

You intend to integrate collaborative portlets

You want the portlets to have online awareness features, and you want users to be able to work in portlets without authentication other than logging into the portal (that is, you need the single sign-on feature)

Your environment is recommended, especially for new portal sites, if you intend to make full use of Lotus Domino integration. Install and configure Lotus Domino as your LDAP directory for the portal, and then follow the instructions for installation and integration in the rest of the Domino Integration and Messaging section of the Information center.

Fastpath: If you have WebSphere Portal 6.0.1 or later, this is the environment most suited to configuration with the Domino-WebSphere Portal Express Integration Wizard.

It is a best practice to use the directory configured for Lotus Sametime and Lotus QuickPlace as the directory configured for the portal, and Lotus Domino LDAP is the best choice for Lotus Sametime and Lotus QuickPlace; therefore, in a new site we recommend using Lotus Domino LDAP as the single directory.

Dual directory-type site (LDAP other than Lotus Domino for portal with Lotus Domino LDAP for Lotus Sametime and Lotus QuickPlace user directories) (1A + 2B).

You already have a mature installation of Lotus Domino servers including any of the following products: Lotus QuickPlace, Lotus Sametime, Domino Web Access (iNotes), Domino Document Manager. Your Lotus Domino servers are upgraded to a release supported by WebSphere Portal Express.

You have newly installed WebSphere Portal Express or have the intention to deploy it. You may even have a mature portal site, but have not yet attempted to integrate it with your Lotus Domino installations.

You intend to integrate collaborative portlets, especially messaging portlets to support your existing Lotus Domino mail and calendar users.

You want the portlets to have online awareness features (your Lotus Domino users are accustomed to Lotus Sametime instant messaging), and you want users to be able to work in portlets without authentication other than logging into the portal (that is, you need the single sign-on feature).

Your environment is typical of many portal customers who have investments in both directories that must be maintained.

Follow the instructions for installation and integration in the rest of the Domino Integration and Messaging section of the Information center.

See the following topics for tasks specific to reconciling directories:

Auto-detecting user mail information from a secondary LDAP server

Resolving the portal user's log-in name with the user name on the Lotus Sametime server

Configuring people awareness to work across Domino Directory and a non-Domino portal LDAP directory

Reconciling single sign-on across Lotus Domino and another LDAP directory

Multiple directory-type site (LDAP other than Lotus Domino for portal with a combination of other directories, most likely native Lotus Domino directory for Lotus Sametime and Lotus Domino LDAP for Lotus QuickPlace) (1A + 2B + 2C)

You already have a mature installation of Lotus Domino servers including any of the following products: Lotus QuickPlace, Lotus Sametime, Domino Web Access (iNotes), Domino Document Manager. Your Lotus Domino servers are upgraded to a release supported by WebSphere Portal Express.

You have newly installed WebSphere Portal Express or have the intention to deploy it. You may even have a mature portal site, but have not yet attempted to integrate it with your Lotus Domino installations.

You have a native Lotus Domino Directory (non-LDAP) in active use. One or more of the following products uses a native Lotus Domino Directory: Lotus QuickPlace, Lotus Sametime, Domino Document Manager.

You intend to integrate collaborative portlets, especially messaging portlets, to support your existing Lotus Domino mail and calendar users.

You want the portlets to have online awareness features (your users are accustomed to Lotus Sametime instant messaging), and you want users to be able to work in portlets without authentication other than logging into the portal (that is, you need the single sign-on feature).

Your environment is typical of many customers with mature Lotus Domino installations and an investment in an extensive native Lotus Domino directory who want to integrate portal.

Follow the instructions for installation and integration in the rest of the Domino Integration and Messaging section of the Information center.

To support SSO, reconcile authentication between user identifications in your native Lotus Domino directory and the portal LDAP directory.

See the following topics for tasks specific to reconciling directories:

Auto-detecting user mail information from a secondary LDAP server

Resolving the portal user's log-in name with the user name on the Lotus Sametime server

Configuring people awareness to work across Domino Directory and a non-Domino portal LDAP directory

Reconciling single sign-on across Lotus Domino and another LDAP directory

Platform considerations

Depending upon platform, Lotus Domino servers in your environment may have slightly different task and/or registry requirements:

All platforms: Lotus Domino IIOP is used to pre-populate drop-down lists shown when users personalize the collaborative portlets.

Windows: Any Lotus Domino data source servers must have HTTP, LDAP, and Lotus Domino IIOP enabled.

Linux: Any Lotus Domino data source servers must have HTTP, LDAP, and Lotus Domino IIOP enabled.

i5/OS: Any Lotus Domino data source servers must have HTTP and Lotus Domino IIOP enabled, and must use an LDAP user registry.

User directory considerations

Directory considerations for Lotus Domino LDAP

From the portal perspective, there are two types of Lotus Domino servers: the Lotus Domino server as a user repository (Lotus Domino Directory server as an LDAP server), and any Lotus Domino server that acts as a Lotus Domino data source for portlets: such a server is called a messaging/application server.

Because WebSphere Portal Express supports the use of Lotus Domino Directory as an LDAP server, you can set up the portal to use a Lotus Domino server as the user repository for users who access both the portal and any portlets that access Lotus Domino and the Extended Products.

You can use a Lotus Domino server with LDAP enabled both as the user repository for the portal and for auto-detection of users' mail files, unless your portal user repository is so large that you want to use separate machines for performance reasons (see Performance considerations).

Directory considerations for Lotus Sametime and Lotus QuickPlace

If you will be using portlets for Lotus Domino and Lotus Sametime only, the Lotus Sametime user directory can be any supported LDAP (including Lotus Domino) directory, or a native Lotus Domino directory. But it is recommended that Lotus Sametime use the same directory as the one configured for the portal, to avoid the additional configuration necessary to support both directories.

If you will be using portlets for Lotus Domino, Lotus Sametime, and Lotus QuickPlace, the Lotus Sametime user directory must be an LDAP directory and Lotus QuickPlace must share that directory. This is a requirement to get awareness and online meetings working within Lotus QuickPlace.

For an LDAP other than Lotus Domino, such as Tivoli Directory Server to work properly with Lotus QuickPlace, modify the qpconfig.xml file on the Lotus QuickPlace server as part of its server setup; this is an additional task to those described in Integrating the Lotus QuickPlace server and portlets. For more information on modifications to the file to support your portal LDAP directory, see Customizing Lotus QuickPlace management of user directory lookups in the QuickPlace 7.0 Administrator and Developer Documentation.

About security through SSL and other features

Whether your site includes single, dual, or multiple types of user directories, SSL is recommended, and you enable it the same way.

If you will use Lotus Sametime and Lotus QuickPlace together, and you enable SSL on one of the servers, also enable it on the other server.

If your site will use IBM Tivoli Access Manager for e-business or Computer Associates eTrust SiteMinder for additional security, set up such protection on servers in the following order: WebSphere Portal Express, Lotus Sametime, Lotus QuickPlace, and then Lotus Domino servers. In addition, if you use eTrust SiteMinder, portlets such as Lotus Notes View will be unable to take advantage of features supported by DIIOP. For information on those features, see the Lotus Notes View topic.

If your site will use Tivoli Access Manager or another reverse proxy, or a load balancer, when installing Lotus Sametime, select the option "Allow HTTP Tunneling on a Lotus Sametime server with a single IP address." With this option selected, all Lotus Sametime client data, except A/V data, is tunneled to the Lotus Sametime server via HTTP on port 80. You also may need to enable this option if Lotus Sametime clients must connect to the server through a network that blocks TCP communications on ports 8081 and 1533.

About user authentication through Single Sign-On (SSO)

Single sign-on between the Lotus Domino environment and the portal environment allows users to log in to the portal, and then work in any of the collaborative portlets without having to authenticate a second time. Although enabling single sign-on is not required to use all the collaborative portlets, it is strongly recommended as a way of improving the user experience. My Lotus QuickPlaces, Lotus Notes View, and Domino Web Access require single sign-on support. SSO is also required if you use a mix of Lotus Sametime and Lotus QuickPlace portlets with both servers.

To support single sign-on, a Web SSO configuration document must exist for each Lotus Domino domain that includes Lotus Domino servers. The Web SSO configuration document is a domain-wide configuration document stored in the Lotus Domino Directory. This document, which you can replicate to all servers participating in the single sign-on domain, is encrypted for participating servers and administrators, and contains a shared secret key used by servers for authenticating user credentials.

In addition to the Web SSO configuration document for Lotus Domino servers, create, save, and export an LTPA key from WebSphere Application Server, and then import that WebSphere LTPA key into the Lotus Domino domain or domains. For each Lotus Domino domain that is set up for use with the portal, the same WebSphere LTPA key must be imported to support single sign-on.

A best practice is to install and configure all servers prior to enabling single sign-on. For example, install and configure Lotus QuickPlace and Lotus Sametime before you enable single sign-on.

If you complete the required single sign-on configuration between the Lotus Domino environment and portal environment, there is no procedure to disallow automatic login for a specific user. For example, if user A logs in to the portal, user A will always be logged in to the Lotus Domino environment.

Tip: Managing Single Sign-On and awareness when there are multiple types of directories. If there is an LDAP directory server other than Lotus Domino in place, for example Tivoli Directory Server, you could employ several strategies to integrate it with a native Lotus Domino Directory and therefore achieve single sign-on (SSO) and awareness across any collaborative portlets your organization uses. The Lotus Domino Directory Assistance functionality may provide a solution for name mapping across LDAP directories. Even when your organization, as a matter of policy, manages modifications primarily through an existing non-Lotus Domino LDAP directory, schema in the non-Lotus Domino directory can be customized and then work in concert with Directory Assistance, which can manage the name mapping for collaborative applications. For a number of creative multi-directory solutions, including information on supporting single-sign on for awareness through the Lotus Sametime and Lotus QuickPlace servers if your organization uses them, see the IBM developerWorks article Single Sign-on in a Multi-Directory World.

Performance considerations

When integrating Lotus Domino into your portal environment, consider performance when deciding how many and which servers you need.

For example, to use a Lotus Domino LDAP server as the user directory (repository) for the portal, install portal on a separate machine from the Lotus Domino LDAP server configured to support collaborative features in the portlets. The Lotus Domino LDAP server for the portal user directory should reside on a machine that is dedicated to serving the portal environment and all its users.

i5/OS: It is recommended that a specific Lotus Domino server be created to run the collaborative components, and that it should reside on the same i5/OS server as WebSphere Portal Express.

Performance of Lotus Sametime and Lotus QuickPlace

If you will use Lotus Sametime and Lotus QuickPlace together, install these servers on separate machines, and configure both servers to use the same LDAP directory.

People Finder considerations

Configuration of Member Manager, a component used to manage the common user repository of the portal, is a prerequisite for the People Finder portlet, which searches for people in the repository. See the topic Member Manager and People Finder.

Parent topic: Information roadmap: Domino Integration Related concepts
Domino-WebSphere Portal Express Integration wizard overview Planning names for servers and users in a Lotus Domino site Planning for single sign-on Overview of cooperative portlets Related reference
Member Manager and People Finder

Library | Support | Terms of use |